Graphics certification process
1. DO-178 B / C, EASA ED-12C and DO-254
Graphics Certification Process
2. DO-178C Software Development Phases
Formal 6 Phase Development Process
1. Planning Phase
2. Requirements Phase
3. Design Phase
4. Coding Phase
5. Integration Phase
6. Testing Phase
Each Phase has specified:
Objectives, Input, Output and Activities
Integral Process Activities (CM, QA, Verification and
Certification Authority Liaison)
Phase Transition Criteria
Phase Transition Review Assessment and Meeting with QA
transition approval
3. DO-178B/C Certification Package
• Certification Planning Documents (PSAC, SDP
and SVP)
• CoreAVI Process Documents (CMP and QAP)
• CoreAVI Standards (Requirements, Design and
Code)
• System, High-level and Low-Level Requirements
• Software Architecture Description
• Software Verification Results
– Software Test Plan
– Test Results
– Requirements Coverage Analysis
– Data & Control Coupling Analysis Report
– Structural Coverage Analysis Report
• Trace Matrices
• Executable Object Code
• Software Accomplishment Summary
• Software Configuration Index (includes SECI)
• Verification, Configuration Management, SQA
and Tool Qualification Artefacts are available for
Audit
[Diagram: software stack. Graphics Application (SCADE application code); ArgusSC, exposing API 1, API 2, API 3, API 5 and API 6; ArgusSC Kernel Mode Driver; ArgusSC Shaders; VxWorks 653 v2.3.0.1 Operating System; E4690 GPU and Display Controller Hardware; Graphical Display(s)]
4. OpenGL SC Example (E4690 GPU) - ArgusSC
• Modular Design (light green indicates
ArgusSC software)
– 6 APIs exposed to the
graphics application
– 14 Modules with defined
interfaces (addresses data
and control coupling
certification requirements)
– ArgusSC Kernel Mode Driver
– E4690 Shader
[Diagram: ArgusSC Framework Internals. Modules: CoreAVI EGL (EGL upper level state management); CoreAVI GL (OpenGL SC upper level state); Dispatch Module; Render Module (GPU specific low level driver implementation, GPU writes/reads); Memory Management Module (handles the management of graphics memory: graphics memory allocations, system memory allocations, obtains initial VRAM memory); OS Module (abstraction of OS requirements of Argus); OS Helper; SysInit Module (system initialization, setup information); Card Specific Library (CSL, card specific driver implementation, carddata); Display Output Module; Utilities; Error Reporting; ArgusSC Shaders; ArgusSC Kernel Mode Driver. External headers: gl.h, glext.h, egl.h, eglext.h, eglplatform.h, coreavi_display.h, coreavi_generic_types.h, os_helper.h, bit.h. Platform: VxWorks RTOS and BSP; OS-specific register/DMA/VRAM reads and writes; GPU registers, VRAM, DMA buffer]
5. OpenGL SC Example Cont'd
Requirements
• One High Level Requirement per external API function (e.g. glVertex3f)
• 298 High Level Requirements
• One Low Level Requirement per internal function (e.g. CoreAVIGlVertex3f) which
describes the logical behavior that function must implement
• Each High Level Requirement describes what the external API Function does
• Each Low Level Requirement describes how the internal API function implements its
functionality
• 1235 Low Level Requirements
6. OpenGL SC Example Cont'd
• Complete Set of Test Cases and Test Procedures
• Normal and Robustness Test Procedures
• 665 HLR-based Test Procedures
• 978 LLR-based Test Procedures
• Provides 100% Statement Coverage
• Specific Test Cases and Test Procedures for Decision and MC/DC
Coverage
7. DO-254 Certification Package
• The CoreAVI E4690 DO-254 Certification Package supports the use of a COTS
GPU within a graphics card (which employs an E4690) that is to be certified
to DO-254 Level C.
• The graphics card would also require a DO-254 Level C certification dataset that would
include the CoreAVI E4690 Certification Package
• The CoreAVI E4690 DO-254 Certification Package also supports the use of a
COTS GPU in a DO-254 Level A system that includes architectural means to
mitigate the display of Hazardously Misleading Information (HMI) as described in
the CAST-29 position paper.
• The graphics card or board incorporating the E4690 and the architectural means of
mitigating HMI would also require a DO-254 certification dataset that would include the
CoreAVI E4690 Certification Package
8. DO-254 Certification Package
• Plan for Hardware Aspects of Certification (PHAC)
• Hardware Validation and Verification Plan (HVVP)
• Configuration Management Plan (CMP)
• Quality Assurance Plan (QAP)
• Electronic Components Management Plan (ECMP)
• Requirements Standards
• Hardware Requirements Data (HRD)
• Hardware Verification Cases & Procedures (HVCP)
• Hardware Verification Reports (HVR)
• Trace Matrices
• Hardware Accomplishment Summary (HAS)
• Configuration Management Records
• Quality Assurance Records
9. FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.2 Possible CGP Contribution to HMI on
Airborne Displays
• Implementing a formal and rigorous Preliminary System Safety Assessment
(PSSA) and System Safety Assessment (SSA) process, focussed on the display
system, is an essential step addressing this concern.
• Architecturally a display system which includes a self-monitoring scheme
implemented in the graphics pipeline to detect GPU anomalies that are
unlikely to be detected by the flight crew is a proven means to address this
issue.
• The display system architecture and monitoring scheme must be detailed in
the PSSA and SSA including how the monitoring mitigates all reasonable
failure modes during which the COTS GPU could cause an image to be
corrupted in a way that could lead to the display of HMI and a subsequent
Hazardous or Catastrophic airplane event.
10. FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.4 CGP Device Variation During Production Life
“CGPs, depending on the type, complexity, and supplier, may
exhibit performance variations across the production lifetime of
the device.”
– The system designer may mention that variations in the performance of the CGP
over the expected operating temperature range are factored into the published
electrical specifications
– For each COTS GPU, CoreAVI, as a value added re-seller of COTS GPUs, does the
following before the COTS GPU is shipped:
• manually inspects
• cleans (removes residue from ball grid areas),
• temperature-screens, by executing an extensive suite of tests at both
temperature extremes,
– In addition, for each CGP CoreAVI ships, CoreAVI maintains a record containing a
unique serial ID allowing traceability through to manufacturing and test history
11. FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.5 CGP Configurable Elements
“Many CGPs contain configurable elements. Some of these may
be selectable by loading specific microcode instructions into
the device.”
– ArgusSC loads pre-generated microcode (supplied by manufacturer of
the COTS GPU) for the following micro-controller functions:
• GPU’s command processor,
• Universal Video Decode (UVD) engine,
• Direct Memory Access (DMA) engine,
• Interrupt controller
– This pre-generated microcode is embedded-in and treated as ArgusSC
source code. As a result, any change to the supplier microcode is
treated as a change to the certified ArgusSC software and would have
to go through a formal Change Request process that includes a
detailed impact analysis.
12. FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.6 CGP Changes after Certification
“The CGP part numbering, change control process, and revision
identification scheme used by the individual CGP suppliers may
not be understood by the system developer or applicant.”
– A ‘footprint’ identifies each batch of inventory with a unique license
(consisting of a quantity of a specific lot/date code of product) and
tracks the actions taken against the license, i.e. batch split, location
transfers, relative humidity exposure, testing and order allocation.
Additionally, the lot and date code provide the framework for revision
control, as lot and date codes are subject to specific revisions, which are
also stored within the ‘FootPrint’ inventory management system.
– CoreAVI reviews all PCNs and CoreAVI’s quality manager identifies any
customer and inbound shipments that will be affected. When a
customer is to be notified of a PCN, the notification time frame will be
at least 30 days before the changes become effective.
13. FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.7 Unused CGP Functionality
“The CGP design may include functionality that will not be used
in the specific design of the airborne display system that could
result in unintended operation of the device if that function
were to be activated under unusual operating conditions or
failures.”
– During the DO-178C Level A certification process over 2000 ArgusSC test
procedures are executed on the target many of which specifically test the
robustness of the CGP.
– ArgusSC BIT API functions allow the graphics application to monitor GPU
registers associated with unused functionality and to determine whether the
registers have changed.
– the verification of the ArgusSC driver software according to DO-178C Level A
objectives while integrated with the GPU
– the execution of the GPU HLR-based test cases according to the DO-254 Level
C objectives
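The register-monitoring idea in the BIT bullet above, as an added illustration in C. This is not ArgusSC code and the page does not show the BIT API; the register indices, the `reg_read` accessor and the simulated register file are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated register file standing in for memory-mapped GPU registers
 * (constructed for this example). */
#define REG_COUNT 16u
static volatile uint32_t sim_regs[REG_COUNT];

/* Hypothetical accessor; a real driver would read the device mapping. */
static uint32_t reg_read(uint32_t index) { return sim_regs[index]; }

/* Registers tied to functionality the display application never uses
 * (indices are placeholders, not real E4690 offsets). */
static const uint32_t unused_regs[] = { 3u, 7u, 12u };
#define UNUSED_COUNT (sizeof unused_regs / sizeof unused_regs[0])

static uint32_t baseline[UNUSED_COUNT];

/* Capture the expected values once, after initialization. */
void bit_capture_baseline(void)
{
    for (size_t i = 0; i < UNUSED_COUNT; i++)
        baseline[i] = reg_read(unused_regs[i]);
}

/* Compare current values with the baseline. Returns the number of
 * registers that changed and sets one bit per changed entry in *mask,
 * so the caller can flag the display output as invalid. */
size_t bit_check_unused(uint32_t *mask)
{
    size_t changed = 0;
    *mask = 0;
    for (size_t i = 0; i < UNUSED_COUNT; i++) {
        if (reg_read(unused_regs[i]) != baseline[i]) {
            *mask |= (uint32_t)1u << i;
            changed++;
        }
    }
    return changed;
}

/* Simulation hook: models an unexpected write to a register. */
void sim_poke(uint32_t index, uint32_t value) { sim_regs[index] = value; }

int main(void)
{
    uint32_t mask;
    bit_capture_baseline();
    sim_poke(7u, 0xDEADBEEFu);   /* anomaly in an unused block */
    size_t n = bit_check_unused(&mask);
    printf("changed=%zu mask=0x%x\n", n, (unsigned)mask);
    return n == 1 ? 0 : 1;
}
```
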
14. FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• CAST 29 Section 2.8 Open GL Software Drivers Compliance to DO-178B/ED-12B
“CGPs may require graphics software that allows functional applications to
draw visual components on the display, e.g., a software package that
implements the OpenGL (Graphics Library) graphics drivers and
applications. The developer of the display system may not be the same
company that develops the graphics software. In addition, the software
graphics packages for the CGPs may not have been developed to the
guidance of DO-178B/ED-12B (or other acceptable means of compliance for
software).”
– CoreAVI’s ArgusSC OpenGL (Graphics Library) and any customer specific enhancements
are specifically designed and tested to meet the guidance of DO-178C/ED-12C DAL A.
– ArgusSC is tested on the target display system. The display system developer provides
system level requirements for the graphics software, which are the genesis of all ArgusSC
non-derived requirements. Any concerns or disconnects between these requirements and the
ArgusSC requirements are identified and addressed with the display system developer.
15. FAA CAST-29/ EASA CM-SWCEH-001 Chapter 10
• EASA CM-SWCEH-001 Ch 10.1 - The following devices include some of the
concerns and issues that could arise when CGPs are used in safety-critical
airborne systems:
“Because CGPs are devices of very high complexity that typically have very short
design cycles, there is an increased possibility that they may contain design errors,
hardware failures or inappropriate responses to external events (e.g., EMI, high
operating temperature) that could result in the undetected display of Hazardously
Misleading Information (HMI) to the flight crew. If the resulting erroneous
information is not flagged as Invalid Data, it could induce the flight crew to take
inappropriate and potentially hazardous action based on that erroneous data, or to
not take appropriate action when action is required.”
– Implementing a formal and rigorous Preliminary System Safety Assessment (PSSA) and
System Safety Assessment (SSA) process, focussed on the display system, is an essential
step addressing this concern.
– Architecturally a display system which includes a GPU output monitoring scheme
implemented in the graphics pipeline to detect GPU anomalies that are unlikely to be
detected by the flight crew is a proven means to address this issue.
– It is important to design software and firmware to support an airborne display system design
that mitigates the display of HMI by architectural means.
16. FAA Certification
CoreAVI’s DO-178B/C & DO-254 DER:
Marty Gasiorowski
martyg@wwcert.com
http://www.wwcert.com/
• CoreAVI provides its customers with formal FAA Form 8110-3(s)
for its certification product releases.
17. Embedded Graphics Software Support
CoreAVI Embedded OpenGL Drivers
Standards Aligned:
• OpenGL SC - Fixed Function Pipeline Safety Critical Profile
• OpenGL ES 2.0 - Programmable Pipeline Shader Language
• OpenGL 1.x - Fixed Function Pipeline
• Argus ES2SC – CoreAVI ES 2.0 based Safety Critical Profile
Operating Systems Supported:
• WindRiver VxWorks
• VxWorks 653, MILS
• Green Hills Integrity
• Integrity 178
• DDCI Deos
• Sysgo/Thales PikeOS
• Microsoft Windows
• Linux
• Proprietary
• Other
18. Software Drivers Designed for Safety Critical
• Designed and developed from ground up for FAA DO-178C / EASA ED-12C
Level A certification
• No 3rd party software IP use
• Scalable power and performance management
• Multicore, Multiple Threads / Applications and Multiple Secure Partitioning
• Hypervisor OpenGL module designed to support multicore / multi-guest OS
• Drivers are integrated and compatible with HMI tools, SCADE, iData, Disti
• CoreAVI OpenGL SC – fixed function shader based implementation – Filed
Patent Pending
• Solutions aligned with Future Airborne Capability Environment (FACE™)
Technical Standard, Edition 2.0
19. CoreAVI Certification Experience
• DO-178 B / C Certification of Graphics Software
• From Level D up to and including Level A
• Proven Formal Software Development Process
• Personnel Experienced with DO-178 B / C processes up to and
including Level A
• Level A Independence implemented on all activities independent of
Project designated assurance level (DAL)
• Four Stages of Involvement (SOI) Audits conducted by CoreAVI’s DER
and supported by SQA
• CoreAVI provides a position paper on CAST 29 (Use of CGP in
Airborne systems)
• Addresses E4690 / 8860 shaders
• DO-254 Certification Level C Artifacts for E4690 /8860